csc 495.002 lecture 1 course introduction · 2017. 11. 15. · dr. ozg¨ ur kafalı¨ course...
TRANSCRIPT
CSC 495.002 – Lecture 1Course Introduction
Dr. Ozgur Kafalı
North Carolina State UniversityDepartment of Computer Science
Fall 2017
COURSE OVERVIEW
Basics
Dr. OzEmail: [email protected] for announcements and assignmentsCourse website: https://ozgurkafali.github.io/courses/ncsu/csc495Hours: MW 11:45AM-1:00PMLocation: EB2 1226No TA
Dr. Ozgur Kafalı Course Introduction Fall 2017 1 / 46
COURSE OVERVIEW
Grading
30% – Individual homework assignments (4 best grades out of 5assignments)
30% – Two group case studies (analysis and in class presentation)
40% – One group project (project report and in class presentation)
No midterm or final
Dr. Ozgur Kafalı Course Introduction Fall 2017 2 / 46
COURSE OVERVIEW
Homeworks
Goals:Learn to do critical reviews on privacy papersExtract privacy requirements/concerns from text-based scenariosInvestigate tools for privacy risk mitigationReview TED talks on privacy
Individual assignmentsWhen submitting any report:
Use your own words when describing the papers or other materialyou find onlineDo not borrow words from the authors (unless you are referring to aspecific technical term, e.g., information disclosure)
Dr. Ozgur Kafalı Course Introduction Fall 2017 3 / 46
COURSE OVERVIEW
Case Studies
In class exercisesInvestigate privacy incidents
Work individually and in groupsAggregate and analyze resultsPresent findings
Play a privacy card game (if everything goes well . . . )Play individuallyPlay in groupsAnalyze strategies
Dr. Ozgur Kafalı Course Introduction Fall 2017 4 / 46
COURSE OVERVIEW
Projects
Goals:Give you experience (both research and development) on a specifictopic related to privacyCollaboration within group members as well as among groupsWork with deadlines, prepare deliverables, present work done
Work in groups of 2–3A project can be chosen by multiple groupsEncourage publication from good projects
Dr. Ozgur Kafalı Course Introduction Fall 2017 5 / 46
COURSE OVERVIEW
Research Interests
Artificial intelligenceMultiagent systemsComputational logicOnline social networks (OSN)Strategic games
Dr. Ozgur Kafalı Course Introduction Fall 2017 6 / 46
COURSE OVERVIEW
Topics
Web/Online Social Networks PrivacyArtificial Intelligence for PrivacyUsable PrivacyPrivacy PerceptionsMisc Topics
Dr. Ozgur Kafalı Course Introduction Fall 2017 7 / 46
COURSE OVERVIEW
Topics: Web/Online Social Networks Privacy
Growing privacy concerns inonline social networksSharing behaviors of usersCommon violations and regretscenariosMethods for targeted advertisingand how to mitigate thoseK-anonymity for ensuring privacyof datasets
Foursquare app: https://www.buzzfeed.com/ashleyperez/creepers-r-us
Dr. Ozgur Kafalı Course Introduction Fall 2017 8 / 46
COURSE OVERVIEW
Topics: Artificial Intelligence for Privacy
Privacy aware autonomous systemsDesign and maintenance of autonomous systems using AItechniques such as negotiation and argumentationFrameworks for elicitation, modeling, and verification of privacyrequirementsPrivacy normsPrivacy breaches as norm violations
Dr. Ozgur Kafalı Course Introduction Fall 2017 9 / 46
COURSE OVERVIEW
Topics: Usable Privacy
Designs for usable privacy interfaces
Privacy nudges for warning users of potential privacy risks
Semantic analysis of privacy policies
Dr. Ozgur Kafalı Course Introduction Fall 2017 10 / 46
COURSE OVERVIEW
Topics: Privacy Perceptions
Studies and surveys regarding human mental models aboutprivacy concerns
Differences among cultures
Longitudinal studies about changes in privacy perceptions
Dr. Ozgur Kafalı Course Introduction Fall 2017 11 / 46
COURSE OVERVIEW
Misc Topics
Crowdsourcing privacy policies
Mobile application privacy
Privacy measurement
Dr. Ozgur Kafalı Course Introduction Fall 2017 12 / 46
COURSE OVERVIEW
Learning Outcomes
Learn various evaluation methods: Empirical, formal, case studiesUnderstand personal identifiable information in databases andtechniques to anonymize and protect such informationDescribe attacks against anonymized datasetsUnderstand privacy risks when sharing personal data online anddesign mechanisms for mitigating such risksDescribe privacy requirements and AI techniques for designingprivacy-aware autonomous systemsDesign usable privacy interfaces and tools that balance privacypreserving and user functionalityIdentify and describe important elements of privacy policies andregulationsUnderstand human attitudes to and perceptions of privacy
Dr. Ozgur Kafalı Course Introduction Fall 2017 13 / 46
COURSE OVERVIEW
Outcomes (For the Instructor)
Convert some of you into the world of academics
Assignments prepared accordingly to give you researchexperience
Even if you choose a developer path, you will be able to developsoftware with privacy awareness
Dr. Ozgur Kafalı Course Introduction Fall 2017 14 / 46
COURSE OVERVIEW
Lectures
Look at a common and important privacy problemStart with problem descriptionLook at real world applications/cases and potential implicationsLearn about sample solutionsShort exercises throughoutCollaboratively analyze relevant incident(s) from the PrivacyIncidents Database (Bring your laptop)
1 Think individually2 Discuss with your neighbor3 Class discussion
Dr. Ozgur Kafalı Course Introduction Fall 2017 15 / 46
INTRODUCTION TO PRIVACY
Privacy
Privacy is very important . . . whatever it isJ. J. Thomson: “Perhaps the most striking thing about the right toprivacy is that nobody seems to have any clear idea of what it is”A good or a bad thing? A right or a preference?
Physical privacy:“Right to be left alone”“Freedom from unauthorized intrusion”
Privacy is very broadScope it to data privacy
Kieron O’Hara. The Seven Veils of Privacy. IEEE Internet Computing, 20(2):86–91, 2016
Dr. Ozgur Kafalı Course Introduction Fall 2017 16 / 46
INTRODUCTION TO PRIVACY
Oops, They Did It Again
13 hospital workers fired in LA for snooping in Britney Spears’medical records
HIPAA prohibits accessing medical records without a valid reasonViolation: Just because she’s a celebrity is not a valid reason
How to detect such violations?Role-based access controlLog accessAre those enough?
http://www.avant.org.au/news/20160622-improper-access-of-medical-records/
http://articles.latimes.com/2008/mar/15/local/me-britney15
Dr. Ozgur Kafalı Course Introduction Fall 2017 17 / 46
INTRODUCTION TO PRIVACY
How the Camera Doomed Google Glass
Early adoptersUsability: “It was not very useful for very much”Privacy: “Disturb people around me that I have this thing”
Mitigation: Use the same way we use sunglasses – usually takenoff when we’re with people
http://www.cnn.com/2013/12/10/tech/mobile/negative-google-glass-reactions/index.html
https://www.theatlantic.com/technology/archive/2015/01/how-the-camera-doomed-google-glass/384570/
Dr. Ozgur Kafalı Course Introduction Fall 2017 18 / 46
INTRODUCTION TO PRIVACY
Target Discovers Pregnancy Before Parents
Identify 25 products that indicate potential pregnancy, sendcoupons accordinglyDad goes to store to show coupons sent to her teenage daughterMitigation: Mix in ads that pregnant women never buy, so babyads look random
http://www.businessinsider.com/the-incredible-story-of-how-target-exposed-a-teen-girls-pregnancy-2012-2
Dr. Ozgur Kafalı Course Introduction Fall 2017 19 / 46
INTRODUCTION TO PRIVACY
Privacy Definitions
Numerous examples
Let’s try to come up with some definitions
Dr. Ozgur Kafalı Course Introduction Fall 2017 20 / 46
INTRODUCTION TO PRIVACY
Privacy Incidents
An instance of accidental or unauthorized collection, use orexposure of sensitive information about an individual
An event that creates the perception that unauthorized collection,use or exposure of sensitive information about an individual mayhappen
https://sites.google.com/site/privacyincidentsdatabase/
Dr. Ozgur Kafalı Course Introduction Fall 2017 21 / 46
INTRODUCTION TO PRIVACY
Data Collection, Storage, and Usage
Collection: What personal information is collected byorganizations?
Storage: How do organizations store personal information? Is itkept secure?
Usage: How do organizations use personal information? Whomdo they share it with? Do they make users aware, e.g., ask forconsent?
Dr. Ozgur Kafalı Course Introduction Fall 2017 22 / 46
INTRODUCTION TO PRIVACY
Contextual Integrity
Ensuring appropriate information flows respectful of social normsin a given contextNorm: Patient health information should not be disclosedContext:
During a consultation, it’s appropriate for a patient to disclosehealth information to the doctorDoctor may consult a colleague about the patient to exchangediagnosis
How about doctor disclosing health information to a doctor friendat a party? Same action, different setting
Nissenbaum. Privacy in Context: Technology, Policy and the Integrity of Social Life. Stanford University Press, 2009
Dr. Ozgur Kafalı Course Introduction Fall 2017 23 / 46
INTRODUCTION TO PRIVACY
Normative Privacy
Norms, expectations, conventions, regulationsWhen a crime victim tells police about perpetrator, does it violatecriminal’s privacy?In this case, the norm works against privacy, for good socialreasons
Alice wants personal spacePuts a fence around her houseFew people cross itAlthough there’s nothing physical to stop them
Patient consultation example: Alice expects confidentiality (herhealth information won’t leave the medical system)
Kieron O’Hara. The Seven Veils of Privacy. IEEE Internet Computing, 20(2):86–91, 2016
Dr. Ozgur Kafalı Course Introduction Fall 2017 24 / 46
INTRODUCTION TO PRIVACY
Sociotechnical Systems
People and software
Technical and social considerations meet
InteractionsUser use softwareUsers interact with each otherSoftware components communicate with each other
Dr. Ozgur Kafalı Course Introduction Fall 2017 25 / 46
INTRODUCTION TO PRIVACY
Laws and Sanctions
Norms can be turned into laws or regulationsNot only conventional but also compulsorySanctions would apply in case of violationsPrivacy law: Organizations’ practice with personal data
Kieron O’Hara. The Seven Veils of Privacy. IEEE Internet Computing, 20(2):86–91, 2016
Dr. Ozgur Kafalı Course Introduction Fall 2017 26 / 46
INTRODUCTION TO PRIVACY
Privacy Engineering
Integrating privacy solutions into everyday engineering practices
Data protection requirements
Beyond data breaches: Perceptions matter too
Seda Gurses and Jose M. del Alamo. Privacy Engineering: Shaping an Emerging Field of Research and Practice. IEEE Security& Privacy, 14(2):40–46, 2016
Dr. Ozgur Kafalı Course Introduction Fall 2017 27 / 46
INTRODUCTION TO PRIVACY
Transitional Privacy
Privacy through friends
Cannot always control what other people do
Dr. Ozgur Kafalı Course Introduction Fall 2017 28 / 46
WHAT TO EXPECT
Typical Privacy Problems
Identify common privacy problems
Analyze sample solutions
Dr. Ozgur Kafalı Course Introduction Fall 2017 29 / 46
WHAT TO EXPECT
Inference
http://www.huffingtonpost.com/2013/11/13/smartphones-restrooms-bed-use-survey n 4266701.html
Dr. Ozgur Kafalı Course Introduction Fall 2017 30 / 46
WHAT TO EXPECT
Inference Possible
The guy on the left is significantly different from the othersWhen you see him outside (new information), you might recognize
Dr. Ozgur Kafalı Course Introduction Fall 2017 31 / 46
WHAT TO EXPECT
Anonymization of Datasets
Provide researchers with useful dataProtect user privacy by anonymizing columns and rows
Dr. Ozgur Kafalı Course Introduction Fall 2017 32 / 46
WHAT TO EXPECT
Sharing Content
https://www.ted.com/talks/alessandro acquisti why privacy matters#t-53301
Dr. Ozgur Kafalı Course Introduction Fall 2017 33 / 46
WHAT TO EXPECT
Unintended Disclosure
Intrusion, embarrassmentUnintended audience
http://www.cbsnews.com/news/senator-pat-roberts-unexpected-ringtone-frozen-let-it-go/
Dr. Ozgur Kafalı Course Introduction Fall 2017 34 / 46
WHAT TO EXPECT
Sharing vs Revealing
To whom your shared content will reach
“If I cannot shout it out in the middle of downtown, I’d not say itonline”
Differential privacy: You may share, but not reveal anything
Dr. Ozgur Kafalı Course Introduction Fall 2017 35 / 46
WHAT TO EXPECT
Regrets
Regrettable actions, e.g., send email to wrong recipientsHow to avoid those
Dr. Ozgur Kafalı Course Introduction Fall 2017 36 / 46
WHAT TO EXPECT
Targeted Advertising
Look at shoes at store They come with you to the news
How does it happen?How can you avoid it?
Dr. Ozgur Kafalı Course Introduction Fall 2017 37 / 46
WHAT TO EXPECT
Multiparty Privacy: Argumentation
After tsunami disasterArguments for/against sharing the picture
Not share: Hand gestures not appropriateShare: Shows difficult situation of survivors, would encouragepeople to help
Fogues et al. Sharing Policies in Multiuser Privacy Scenarios: Incorporating Context, Preferences, and Arguments in DecisionMaking. ACM Transactions on Computer-Human Interaction, 24(1):5:1-5:29, 2017
Dr. Ozgur Kafalı Course Introduction Fall 2017 38 / 46
WHAT TO EXPECT
AI for Privacy: Negotiation
Runtime configuration of app permissionsNegotiation between the user and the app provider
Dr. Ozgur Kafalı Course Introduction Fall 2017 39 / 46
WHAT TO EXPECT
Usable Privacy
Utility vs privacy: You want my password or a dead patient?How to prevent privacy messing up functionality?
Koppel et al. Workarounds to computer access in healthcare organizations: You want my password or a dead patient? Studies inHealth Technology and Informatics, 208:215220, 2015
Dr. Ozgur Kafalı Course Introduction Fall 2017 40 / 46
WHAT TO EXPECT
Metrics and Measurement
How much privacy is enough? Or too much?
https://pusz4frog.wordpress.com/category/technology-2/
Dr. Ozgur Kafalı Course Introduction Fall 2017 41 / 46
WHAT TO EXPECT
Privacy Policies
Nobody reads privacy policiesFacebook privacy policy is longer than the US constitution
http://www.huffingtonpost.com/2010/05/12/facebook-privacy-policy-s n 574389.html
Dr. Ozgur Kafalı Course Introduction Fall 2017 42 / 46
WHAT TO EXPECT
Westin Privacy Index
Classify the public into three categoriesFundamentalist (25% of Americans): Distrustful of organizations,refuses to give out personal informationPragmatist (55% of Americans): Weighs the value of consumeropportunities, aware of privacy risksUnconcerned (20% of Americans): Doesn’t know what the“privacy fuss” is about
Westin. Privacy and Freedom. Administrative Law Review, 22(1):101–106, 1969
Dr. Ozgur Kafalı Course Introduction Fall 2017 43 / 46
WHAT TO EXPECT
Privacy Surveys
Why are user studies on privacy not convincing?Question: How would you feel about a mobile app that tracks yourlocation whereever you go? [You cannot turn it off]How about: The app offers discount coupons based on yourfavorite locationsHow about: The app sends your location to third parties. . . potentially malicious people might access your locationIncentives change based on circumstancesPrivacy paradox: Reported vs actual behavior
Dr. Ozgur Kafalı Course Introduction Fall 2017 44 / 46
WHAT TO EXPECT
Cultural Differences
Not so private More private
Dr. Ozgur Kafalı Course Introduction Fall 2017 45 / 46
WHAT TO EXPECT
Wisdom of Crowd
Dr. Ozgur Kafalı Course Introduction Fall 2017 46 / 46